Article Details

CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing. Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and even other loaders like Hijack Loader. "It employs dead code injection and packing techniques to hinder analysis," the company said. "After unpacking itself at runtime, it connects to a C2 (command-and-control) server, downloads target modules, and executes them." CastleLoader payloads are distributed as portable executables containing an embedded shellcode, which then invokes the main module of the loader that, in turn, connects to the C2 server in order to fetch and execute the next-stage malware. Attacks distributing the malware have relied on the prevalent ClickFix technique on domains posing as software development libraries, videoconferencing platforms, browser update notifications, or document verification systems, ultimately tricking users into copying and executing PowerShell commands that activate the infection chain. Victims are directed to the bogus domains through Google searches, at which point they are served pages containing fake error messages and CAPTCHA verification boxes developed by the threat actors, asking them to carry out a series of instructions to supposedly address the issue. Alternatively, CastleLoader leverages fake GitHub repositories mimicking legitimate tools as a distribution vector, causing users who unknowingly download them to compromise their machines with malware instead. "This technique exploits developers' trust in GitHub and their tendency to run installation commands from repositories that appear reputable," PRODAFT said. PRODAFT said it has observed Hijack Loader being delivered via DeerStealer as well as CastleLoader, with the latter also propagating DeerStealer variants. This suggests the overlapping nature of these campaigns, despite them being orchestrated by different threat actors. Since May 2025, CastleLoader campaigns have leveraged seven distinct C2 servers, with over 1,634 infection attempts recorded during the time period. Analysis of its C2 infrastructure and its web-based panel—which is used to oversee and manage the infections – shows that as many as 469 devices were compromised, resulting in an infection rate of 28.7%. "Castle Loader is a new and active threat, rapidly adopted by various malicious campaigns to deploy an array of other loaders and stealers," PRODAFT said. "Its sophisticated anti-analysis techniques and multi-stage infection process highlight its effectiveness as a primary distribution mechanism in the current threat landscape." "The C2 panel demonstrates operational capabilities typically associated with malware-as-a-service (MaaS) offerings, suggesting the operators have experience in cybercriminal infrastructure development."